We have numerous ASA devices in our network, most of them in a DMZ. We need to be able to read out the ARP cache, because there's no useful DHCP functionality. Please add Cisco ASA ARP cache support to IPAM capabilities.
Also include Cisco ACE.
I have opened case# 760076 on this issue. See also IPAM V4.2 Neighbor Discovery disappointment with Cisco and IPAM Neighbor discovery with Cisco ASA Firewalls
ARP scanning for these devices should be very easy to implement, but IPAM needs to poll OID 1.3.6.1.2.1.4.35 instead of 1.3.6.1.2.1.4.22.
What currently happens:
IPAM polls device for OID 1.3.6.1.2.1.1.4.0 to check SNMP response. If successful, IPAM polls OID 1.3.6.1.2.1.4.22 for ARP table. If this fails, IPAM assumes no ARP table is available.
All that would need to change is, if 1.3.6.1.2.1.4.22 fails, then poll 1.3.6.1.2.1.4.35 before giving up. The data should be easy enough to parse, as the results in these two tables are nearly identical. See below:
1.3.6.1.2.1.4.22 sample result: .1.3.6.1.2.1.4.22.1.2.89.10.10.66.24 = STRING: 0:6:67:25:55:ab
1.3.6.1.2.1.4.35 sample result: .1.3.6.1.2.1.4.35.1.4.8.1.4.10.10.214.216 = STRING: 0:25:b5:1:0:db
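A sketch of the fallback and parsing described in the post above, as an added example that is not part of the original post and not SolarWinds code. The function names are hypothetical, and it assumes walk output in the `OID = STRING: mac` form of the two sample lines quoted in the post.

```python
import ipaddress
import re

LEGACY = "1.3.6.1.2.1.4.22.1.2."   # ipNetToMediaPhysAddress column
MODERN = "1.3.6.1.2.1.4.35.1.4."   # ipNetToPhysicalPhysAddress column
# Only the "STRING: h:h:h:h:h:h" value form shown in the post is handled.
LINE = re.compile(r"^\.?(\d+(?:\.\d+)*) = STRING: ([0-9a-fA-F:]+)$")


def norm_mac(raw):
    """Pad short hex octets: 0:6:67:25:55:ab -> 00:06:67:25:55:ab."""
    parts = raw.split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(p.zfill(2).lower() for p in parts)


def parse_line(line):
    """Return (ifIndex, ip, mac) for one walk line, or None if not an ARP row."""
    m = LINE.match(line.strip())
    if not m:
        return None
    oid, mac = m.groups()
    if oid.startswith(LEGACY):
        # Table 22 index: ifIndex followed by four IPv4 octets.
        idx = [int(x) for x in oid[len(LEGACY):].split(".")]
        if len(idx) != 5:
            return None
        if_index, addr = idx[0], idx[1:]
    elif oid.startswith(MODERN):
        # Table 35 index: ifIndex, address type, length, then address octets.
        idx = [int(x) for x in oid[len(MODERN):].split(".")]
        if len(idx) < 3 or idx[2] != len(idx) - 3:
            return None
        if (idx[1], idx[2]) not in ((1, 4), (2, 16)):  # ipv4 or ipv6 only
            return None
        if_index, addr = idx[0], idx[3:]
    else:
        return None
    try:
        return if_index, str(ipaddress.ip_address(bytes(addr))), norm_mac(mac)
    except ValueError:  # octet > 255 or malformed MAC
        return None


def arp_table(legacy_walk, modern_walk):
    """Use table 22 if it yields rows, otherwise fall back to table 35."""
    for walk in (legacy_walk, modern_walk):
        rows = [r for r in map(parse_line, walk) if r]
        if rows:
            return rows
    return []
```

Because the table 35 index carries an address type and length, the same parser also returns IPv6 neighbor entries, which table 22 cannot represent.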
Jamie -
I'm revisiting this to see if anything has changed in CiscoLand.
I've checked several ASAs for 1.3.6.1.2.1.4.35 via show snmp-server oidlist, and I get nothing. I've also tried ipNetToPhysicalEntry via the Toolset MIB Viewer, and get ** unsupported OID **. I checked the following models and versions:
On what versions and models of ASA have you been able to get ipNetToPhysicalEntry to work?
thanks,
=Foon=
Is this still an issue with IPAM 4.3.2?
I'm guessing 4.3.2 is affected because I put in a case, sent them the OID info that Cisco sent to me yesterday and was then told that the OID couldn't be changed and that a feature request needed to be added. Told them that it was requested in 2013 and pasted the link to this.
C'mon SolarWinds. Figure this out. Why not use SSH to grab the info from the CLI if SNMP is an issue?
Any news about this?
This would be great. We have multiple subnets that are statically assigned IPs only, so DHCP discovery is worthless for those. It would be ideal if IPAM could read the ARP tables of routers and firewalls to inventory what IP addresses are in use.
Thanks.